Infinispan / ISPN-13897

If given a non-existing keystore alias, ispn starts with no errors and an inoperable REST port


Details

      Set:

         <security-realm name="default">
            <server-identities>
               <ssl>
                  <keystore path="/etc/pki/java/keystore.jks"
                            alias="*.internal.ansiblemiddleware.com"
                            keystore-password="changeit"/>
               </ssl>
            </server-identities>
            <properties-realm groups-attribute="Roles">
               <user-properties path="users.properties"/>
               <group-properties path="groups.properties"/>
            </properties-realm>
         </security-realm>
      </security-realms>


      With the keystore path and password being correct, but the alias not existing.


    Description

      When configuring SSL for Hot Rod and REST, the server starts with no errors or warnings even if the 'alias' does not exist in the JKS keystore.

      Log contents:

      2022-05-17 11:29:10,465 INFO  (main) [org.wildfly.openssl.SSL] WFOPENSSL0002 OpenSSL Version OpenSSL 1.1.1k  FIPS 25 Mar 2021
      2022-05-17 11:29:10,479 INFO  (main) [org.infinispan.SECURITY] ISPN000946: Using OpenSSL Provider
      [...]
      2022-05-17 11:29:16,583 INFO  (ForkJoinPool.commonPool-worker-3) [org.infinispan.SERVER] ISPN080018: Started connector HotRod (internal)
      2022-05-17 11:29:16,787 INFO  (main) [org.infinispan.SERVER] ISPN080018: Started connector REST (internal)
      2022-05-17 11:29:17,100 INFO  (main) [org.infinispan.SERVER] ISPN080004: Connector SINGLE_PORT (default) listening on 0.0.0.0:11222
      2022-05-17 11:29:17,100 INFO  (main) [org.infinispan.SERVER] ISPN080034: Server 'site1-datagrid1(site-id=site1, machine-id=site1-datagrid1)' listening on https://0.0.0.0:11222
      

      But the SSL port is not operational:

       

      # curl -v -v https://localhost:11222/rest/v2/cache-managers/default/health/status
       *   Trying 127.0.0.1:11222...
       * Connected to localhost (127.0.0.1) port 11222 (#0)
       * ALPN, offering h2
       * ALPN, offering http/1.1
       * successfully set certificate verify locations:
       *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
       *  CApath: none
       * TLSv1.3 (OUT), TLS handshake, Client hello (1):
       * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:11222 
       * Closing connection 0
      curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:11222 
      

        

      # openssl s_client -connect localhost:11222
      CONNECTED(00000003)
      write:errno=0
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 0 bytes and written 235 bytes
      Verification: OK
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Early data was not sent
      Verify return code: 0 (ok)
      ---
      

      It should instead WARN or ERROR about the problem.
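      Added example, not part of this report or of the Infinispan server: a Java pre-flight check that loads the keystore from the configuration above and fails with an explicit message when the alias is missing or is not a private-key entry, which is the loud failure the report asks for instead of a silently dead TLS port. The class name, method name and the separate key-password parameter are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;

// Hypothetical pre-flight check (not Infinispan code): open the keystore named in the
// <keystore> element and refuse to continue unless the alias exists and holds a private key.
public final class KeystoreAliasCheck {

    public static void requireKeyAlias(String path, String alias,
                                       char[] storePassword, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);   // a wrong path or password already fails loudly here
        }
        // The case from the report: the store opens fine but the alias is simply not in it.
        if (!ks.containsAlias(alias)) {
            List<String> present = Collections.list(ks.aliases());
            throw new IllegalStateException("keystore " + path + " has no entry '" + alias
                    + "'; aliases present: " + present);
        }
        // A trusted-certificate entry cannot serve as a server identity; a private key is required.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("entry '" + alias + "' in " + path
                    + " is a certificate-only entry, not a private key");
        }
        // Finally prove the key is actually recoverable with the given key password
        // (getKey throws UnrecoverableKeyException on a wrong password).
        if (ks.getKey(alias, keyPassword) == null) {
            throw new IllegalStateException("no private key recoverable for '" + alias + "'");
        }
    }

    public static void main(String[] args) throws Exception {
        // Values from the configuration in the report; the key password is assumed to equal
        // the keystore password because that config sets no separate key password.
        requireKeyAlias("/etc/pki/java/keystore.jks", "*.internal.ansiblemiddleware.com",
                "changeit".toCharArray(), "changeit".toCharArray());
        System.out.println("TLS identity alias verified");
    }
}
```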

      People

        Jose Bolina (rh-ee-jbolina)
        Guido Grazioli (ggraziol@redhat.com)